Re: source filtering

[Jared Mauch <jared () puck nether net>]

On Tue, Jan 12, 1999 at 05:51:36PM +0000, Alex Bligh wrote:
> >     2) Using the "ip verifiy unicast reverse-path" Cisco feature
> > (it's in 11.1CC images when you use CEF, so I don't get a flood
> > of e-mails)
>
> I'm sure far more people would source filter if Cisco put this
> in CPE routers.

        This does not mean you can't filter on your fastether,
ether, fddi, etc.. that goes to customer aggregation boxes, or on
the T1 where that connectivity hits your core backbone node, (I
understand there are cases where this would not work, for some
larger customers perhaps), but for most cases, this would be possible.

        If i have network topology that provides the following
scenario:

          upstream
             |
        +----------+
        | core rtr |--- N x backbone link(s)
        +----------+
            \
             \ +------------+
              -| access lan |
               +------------+

        Where access lan  is any number of customer aggregation
boxes, such as 36xx w/ t1 intfs, (dial) access boxes, etc, you
can source filter that lan at that point instead of the edge.

        If you manage lans similar to this, you shouldn't allow
your dial customers to spoof and start these attacks.

        - Jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.